diff --git a/.gitignore b/.gitignore index 33dce22..1587f8a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1 @@ -seecrets/** -**/secrets.nix +**/secrets/* diff --git a/flake.nix b/flake.nix index 9e50429..3fa0630 100644 --- a/flake.nix +++ b/flake.nix @@ -11,14 +11,20 @@ url = "github:nix-community/emacs-overlay"; inputs.nixpkgs.follows = "nixpkgs"; }; + agenix = { + url = "github:ryantm/agenix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; - outputs = { self, nixpkgs, home-manager, emacs-overlay, ... }: { + outputs = { self, nixpkgs, home-manager, emacs-overlay, agenix, ... }: { nixosConfigurations = { enterprise = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = [ ./hosts/enterprise/configuration.nix + ./modules/agenix.nix + agenix.nixosModules.age (import ./nix.nix) (import ./hosts/enterprise/sound.nix) (import ./hosts/enterprise/backup.nix) diff --git a/hosts/enterprise/secrets/maildir_relekarpayas_onedrive.age b/hosts/enterprise/secrets/maildir_relekarpayas_onedrive.age new file mode 100644 index 0000000..b1b1c2a --- /dev/null +++ b/hosts/enterprise/secrets/maildir_relekarpayas_onedrive.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 dy7D9w IFzyPbRh5LLzYH6vDy83SyKzZDS+qF2MEOenMsNtOnQ +lAx+ygintMnPCDl4rr+iDnud/5bQ63gbbZS43Vtzr5Y +-> 9M9qX4-grease S`5 jR._GqU {9)a Eub +eBZQB13O+P1m4DsTWCN8k6RWpeKcqsg5yfm/8n/CaVfMFACclQ +--- PtyjC9OVjUAdkGz111hZsDkEFjcwNtO1BvJhpn/5x3g +8pˮdtL͸ k/{\>O&7p`}ї?kπ0t Ϧre16>Y*Tdk53Kp1r@4AH7lۥ @ V׫Rb \ No newline at end of file diff --git a/hosts/enterprise/secrets/mu4e_gmail.age b/hosts/enterprise/secrets/mu4e_gmail.age new file mode 100644 index 0000000..19d4517 --- /dev/null +++ b/hosts/enterprise/secrets/mu4e_gmail.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 dy7D9w yhRM5/w1eepD/nEGCoOzqhN2Ed4WCweQxc5nw90OFFE +z9/iOzG+to2rcC60yO7nzI6GgIfvZLjHfJr42SrbxLY +--- tiudW9x74CzCHpASjlnHxN8zKekP/2L4HkqtDwRkm5U +khA`ъiX Tm::+W:t& \ No newline at end of file 
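Review bot: The new pattern `**/secrets/*` matches every file this commit adds under `hosts/enterprise/secrets/`, including `secrets.nix` and the `.age` ciphertexts, so they can only have been staged with a force-add, and any secret added to that directory later will be silently skipped by `git add`. With agenix the encrypted `.age` files and the recipient list in `secrets.nix` are meant to be versioned; what must stay out of the repository is the private identity, which this layout already keeps outside the tree. Either drop the pattern or re-include the tracked material beneath it with two following lines, `!**/secrets/*.age` and `!**/secrets/secrets.nix`.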
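Review bot: `./modules/agenix.nix`, added on the last line of this diff, declares `agenix` in its argument set, but nothing visible in this `nixosSystem` call passes it on (no `specialArgs` in the hunk), and `agenix.nixosModules.age` does not provide it either. As far as I can tell this only evaluates today because the module's one use of `agenix` is the commented-out `environment.systemPackages` line; the moment that TODO is picked up the evaluation will fail with a missing `agenix` attribute. If `specialArgs` is not set elsewhere in the attribute set, add `specialArgs = { inherit agenix; };` next to `system = "x86_64-linux";`. The `modules` list and the enclosing attribute set continue past the hunk.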
diff --git a/hosts/enterprise/secrets/org_relekarpayas_googledrive.age b/hosts/enterprise/secrets/org_relekarpayas_googledrive.age new file mode 100644 index 0000000..2691bfe --- /dev/null +++ b/hosts/enterprise/secrets/org_relekarpayas_googledrive.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 dy7D9w ccKo6iVUtF/88bxSy1B8xnRYBUkbnbi/heOcS0zYEDY +Rraz/mFj1fR95kJZRCSJ7SRAQUtgHjOZJi0VvzYGmvk +-> ZwkrMG-grease ssh-ed25519 dy7D9w 5OnF9DkSjroG96Q88oo04Q1EINi3wcN/vfyzKALrMww +kBc2w/X+Od+ouik4AsH7YZlNoZGPfWGt1NXUip9yfwY +-> g(-grease A +zT177g +--- JFz13LrERcGNmpmtjp9IK92FDyAUpxK00Kal7CsYyZ8 +n_1H"Q[2vh%EAnԜͥIE@Ϳs,4]\F[j`oӼ=}~g>PH +e>'FޙC'@V;Sc$Љ@`/E|Uat \ No newline at end of file diff --git a/hosts/enterprise/secrets/secrets.nix b/hosts/enterprise/secrets/secrets.nix new file mode 100644 index 0000000..efd7a5e --- /dev/null +++ b/hosts/enterprise/secrets/secrets.nix @@ -0,0 +1,10 @@ +let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPziuF0B4Vj/W434rpshcvQu2KieXjGc8HnwymLapyLu nixos@enterprise"; +in +{ + "maildir_relekarpayas_onedrive.age".publicKeys = [ key ]; + "syncthing_relekarpayas_googledrive.age".publicKeys = [ key ]; + "syncthing_relekarpayas_onedrive.age".publicKeys = [ key ]; + "org_relekarpayas_googledrive.age".publicKeys = [ key ]; + "org_relekarpayas_onedrive.age".publicKeys = [ key ]; + "mu4e_gmail.age".publicKeys = [ key ]; +} diff --git a/hosts/enterprise/secrets/syncthing_relekarpayas_googledrive.age b/hosts/enterprise/secrets/syncthing_relekarpayas_googledrive.age new file mode 100644 index 0000000..745081a --- /dev/null +++ b/hosts/enterprise/secrets/syncthing_relekarpayas_googledrive.age 
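Review bot: `org_relekarpayas_onedrive.age` is listed here, but no file of that name is added by this commit, and since `modules/agenix.nix` maps every key of this file into `age.secrets`, that entry will point at a path that does not exist and decryption of it will fail at activation; if the file exists only locally, the `**/secrets/*` rule in the `.gitignore` hunk is what is hiding it from the commit. Separately, every entry names the single key `nixos@enterprise` as its only recipient, so there is no second identity able to decrypt or re-key these files, and rotating or losing that key makes all six secrets unrecoverable. Binding an operator key in the `let` and listing it alongside, e.g. `publicKeys = [ key admin ];`, avoids that single point of failure.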
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 dy7D9w O2oC8+mG4ddds/vWrEgoKcH/08Uf+Asb+5IMvHFaC04 +zTptkB7UdU0BGm2tOUTjllYHsv3tEkt+k61VgyCnnZw +-> A$-grease 2MWD =a@~f +h1ff7UE4JFUCf2hRMDEBnOrsvbEztceDSaMVTyzzzsf+D9TYLeA7Liv8zJuOu1PV +pTCXhpWqO0Th9ol9fJc3eQ7MxuiGOSGm6H65HPIjgxWJNSLmNg +--- vbumS83Qmuc1aOt0o7Rut1P5kSVix/AKL7SLJBKVD6A +-:VhN41N+@!y@Wo$|(D4G0&ݡ \ No newline at end of file diff --git a/hosts/enterprise/secrets/syncthing_relekarpayas_onedrive.age b/hosts/enterprise/secrets/syncthing_relekarpayas_onedrive.age new file mode 100644 index 0000000..9c1f0d0 --- /dev/null +++ b/hosts/enterprise/secrets/syncthing_relekarpayas_onedrive.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 dy7D9w cC14jHh4xEnU4ytYVPvsHFItTP32ejCva6JIfyL7yCg +OynqzGM3787awMhBuUuSq3+LNiw8BQbQzPDH3fx08aU +-> 1}N-grease 63VK8 ' \ S=if +ZACSbwxOec//qcHEPOWoc9lTTcf6eIK2g2Bw4xXjqYD5/F08jXx5By4REgLsvg7h +jzGImN08q5msOunmJNlc5AV2lWvUVU7860sn/5ZLJQ5/F9G5Rl2fK7xs +--- 8m6Tz3ExeYuw/IiMYJu3jGbTqhQNaKXNc7Y6BIDQuxc +Fg);Cd=gA/":- ]@XgO2j=7,W?p dD_IqVݮnz틜!y[ihCf\@AL_R+\NCK?Q + \ No newline at end of file diff --git a/modules/agenix.nix b/modules/agenix.nix new file mode 100644 index 0000000..36d9eb7 --- /dev/null +++ b/modules/agenix.nix 
@@ -0,0 +1,41 @@
+{ config, options, agenix, lib, pkgs, ... }:
+
+# copied pretty much verbatim from hlissner's dotfiles repo:
+# https://github.com/hlissner/dotfiles/blob/4539d607778820cd6fd97b6c81c1cfcd6cb7e226/modules/agenix.nix
+#
+# I get the idea and understand what the code does, but it will probably take a while to fully write
+# something like this myself
+
+with builtins;
+with lib;
+let
+ secretsDir = "${toString ../hosts}/enterprise/secrets";
+ secretsFile = "${secretsDir}/secrets.nix";
+ payas = "payas";
+in
+{
+ # imports = [ agenix.nixosModules.age ];
+
+ # TODO: Find a way to make agenix available in the runtime NixOS evaluation
+ # environment.systemPackages = [ agenix.defaultPackage.x86_64-linux ];
+
+ age = {
+ secrets =
+ if pathExists secretsFile
+ then
+ mapAttrs'
+ (n: _: nameValuePair (removeSuffix ".age" n)
+ {
+ file = "${secretsDir}/${n}";
+ owner = payas;
+ })
+ (import secretsFile)
+ else
+ { };
+ identityPaths =
+ [
+ "/home/payas/.ssh/id_ed25519"
+ # "/home/payas/.ssh/id_rsa"
+ ];
+ };
+}
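Review bot: `identityPaths` names a key under `/home/payas/.ssh/`, but agenix decrypts during system activation, as root, before any user session exists, so if `/home` is a separate or encrypted mount that is not present at that point, or the key is ever given a passphrase, every secret declared here fails to install. The usual identity is the host's sshd key, `identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, which requires the recipient list in `secrets.nix` to carry that key's public half; whether the `nixos@enterprise` key listed there already is the host key is not visible in this diff. The `with builtins; with lib;` pair at module scope also leaves it unclear which namespace `mapAttrs'`, `nameValuePair` and `removeSuffix` come from; qualifying them as `lib.mapAttrs'` etc. and dropping the `with` lines reads better. The `agenix` module argument is declared but only referenced in commented-out code; with no `specialArgs` in the `flake.nix` hunk it should either be removed or given a default.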